DETAILED ACTION

Response to Amendment 
This office action is in response to amendments and remarks filed on November 14, 2006. The original application contained Claims 1-50. Applicant previously amended Claims 1, 3, 5-6, 11, 16, 25, 41-50, 58, and added new Claims 51-60. Applicant currently amends Claims 1, 3, 19, 20, 25, 33, 39, 40-41, and 60. The amendment filed on November 14, 2006 has been entered and made of record. Presently Claims 1-60 are pending for consideration.

Response to Arguments 
Applicant's arguments filed on November 14, 2006 with respect to Claims 1-60 
have been fully considered but are moot in view of the new ground(s) of rejection. 



Claim Rejections - 35 USC §102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 



Application/Control Number: 09/988,009    Art Unit: 2131    Page 3

international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

Claims 1-60 are rejected under 35 U.S.C. 102(e) as being anticipated by Yaung et al. (U.S. Patent No. 6,446,069).

1. Regarding Claim 1, Yaung teaches and describes a system for selectively granting access to the functionality of a software application to a plurality of users, comprising: a first memory configured to store first data related to the software application, and second data specifying entitlements of each of the plurality of users to access a plurality of preset functions of the software application; and a rules checker in communication with the software application and the first memory (col. 5 line 58 to line 66, and col. 6 line 30 to line 58), said rules checker (i.e., the Access Control List (ACL)) configured to:

receive at least one query, wherein the query is generated in response to an input received from one of the plurality of users with respect to the software application, and forward a message to the software application in response to the query, wherein the message is generated based on the query and the second data, wherein said message provides instructions to the software application regarding entitlements of one of the plurality of users to access at least one of the plurality of preset functions of the software application (col. 9 line 1 to col. 10 line 11).

2. Regarding Claim 25, Yaung discloses a method for providing application-level security, said method comprising the steps of: storing first data relating to a software application; storing second data specifying entitlements of each of a plurality of users to access a plurality of preset functions of the software application (col. 5 line 58 to line 66, and col. 6 line 30 to line 58); receiving a query, wherein the query is generated in response to an input from one of the plurality of users with respect to the software application; in response to the query, forwarding a message to the particular software application, said message being generated based on the second data and the query, and providing instructions to the particular software application regarding entitlements of the one of the plurality of users to access at least one of the plurality of preset functions of the software application (col. 9 line 1 to col. 10 line 11).

3. Regarding Claim 41, Yaung discloses a computer readable medium bearing instructions for providing application-level security, said instructions being arranged to cause one or more processors upon execution thereof to perform the steps of: storing first data relating to a software application; storing second data specifying entitlements of each of a plurality of users to access a plurality of preset functions of the software application (col. 5 line 15 to line 66, and col. 6 line 30 to line 58); receiving a query, wherein the query is generated in response to an input from one of the plurality of users with respect to the software application; in response to the query, forwarding a message to the software application, said message being generated based on the second data and the query, and providing instructions to the software application regarding entitlements of the one of the plurality of users to access at least one of the plurality of preset functions of the particular software application (col. 9 line 1 to col. 10 line 11).

4. Regarding Claim 60, Yaung discloses a system for granting access to the functionality of a software application, comprising: a first memory configured to store first data related to the software application; the first memory further configured to store second data related to each of one or more users of the software application; and a rules checker in communication with the software application and the first memory (col. 5 line 58 to line 66, col. 6 line 30 to line 58), said rules checker configured to: receive at least one query generated in response to an input received from one of the users with respect to the software application, and forward a message to the software application in response to the query; wherein said message provides instructions to the particular software application regarding entitlements of one of the users to access a particular one of the plurality of preset functions of the software application, based on the role of the one of the users or a function to be performed by the one of the users (col. 9 line 1 to col. 10 line 11).

5. Claims 2-24, 26-40, and 42-59 are rejected as applied above in rejecting Claims 1, 25, and 41. Furthermore, Yaung teaches and describes:

As per claim 2, wherein the first memory is a relational database (col. 4 line 51 to line 58). 

As per claim 3, wherein the software application is implemented on one of a mainframe 
and a distributed computing (col. 4 line 35 to line 50). 

As per claim 4, further comprising: a second memory configured to store proprietary data useful to the particular software application, and wherein said message provides information to the particular software application regarding authorization to output portions of the proprietary data (col. 5 line 15 to line 22).

As per claim 5, wherein the respective first data for each software application includes an 
identification of hierarchically arranged functions associated with that software application (col. 7 
line 35 to line 59). 
As per claim 6, wherein the query further comprises information relating to the one of the users and relating to at least one of the functions associated with the particular software application, and wherein the message relates to that one user's authorization to access the at least one function (col. 8 line 23 to line 45).

As per claim 7, wherein the identification of hierarchically arranged functions includes functions, sub-functions, and sub-sub-functions (col. 7 line 35 to col. 8 line 59, and col. 10 line 55 to line 56).

As per claim 8, wherein the respective first data for each software application includes an 
identification of data fields associated with that software application (col.7 line 45 to line 60). 

As per claim 9, wherein the query further comprises information relating to one of the 
users and relating to at least one of the data fields associated with the particular software 
application, and wherein the message relates to that one user's authorization to access the at least 
one field (col.7 line 45 to line 60). 

As per claim 10, wherein the rules checker is further configured to: generate the message 
based on the query, the first data and the second data (col.9 line 1 to line 25). 

As per claim 11, wherein: the respective second data for each of the users includes at 
least one role, from among a plurality of roles, associated with that particular user, and the 
respective first data for each software application includes an identification of hierarchically 
arranged functions associated with that software application, and a description of which of the 
plurality of roles is entitled to access each of the functions (col.9 line 26 to col. 10 line 12). 

As per claim 12, wherein: the query includes an identification of a specific one of the 
users and a specific one of the functions associated with the particular software application; the 
rules checker is further configured to generate the message based on the query, the first data and the second data; and the message instructs the particular software application regarding that specific user's entitlement to access that specific function (col. 9 line 26 to col. 10 line 12).

As per claim 13, wherein the rules checker logs data relating to an instance in which the 
specific user is not entitled to access that specific function (col.9 line 26 to col. 10 line 12). 

As per claim 14, wherein the respective second data for each of the users includes an 
access level from among a plurality of access levels, associated with that particular user, said 
access level determining an authorization of that particular user to access proprietary data within 
the second memory, and the rules checker is further configured to generate the message based on 
the query, the first data and the second data (col.8 line 45 to col.10 line 12). 

As per claim 15, further comprising: an administrative application configured to facilitate 
administration of the first and second data (col. 6 line 30 to line 57). 

As per claim 16, wherein the administrative application is further configured to 
manipulate the first data according to which of a plurality of clients the plurality of users is 
associated with (col.6 line 59 to line 65, and col.7 line 9 to line 24). 

As per claim 17, wherein the administrative application is further configured to 
manipulate the first data according to an identity of a particular one of the users (col.7 line 24 to 
line 35). 

As per claim 18, wherein the administrative application is further configured to 
manipulate the first data according to which of a plurality of roles a particular one of the users is 
associated with (col.7 line 36 to col.8 line 65). 
As per claim 19, wherein the administrative application is further configured to
manipulate all the first data relating to a specific one of the software application (col.7 line 36 to 
col.8 line 65). 

As per claim 20, wherein the administrative application is further configured to 
manipulate all the first data relating to one of a plurality of functions associated with the software 
application (col.7 line 36 to col.8 line 65). 

As per claim 21, further comprising: an auditing application configured to facilitate 
auditing of the first and second data and any additional data generated by the rules checker (col.7 
line 36 to col.8 line 65). 

As per claim 22, wherein the auditing application is further configured to provide a 
history, upon request, of messages forwarded by the rules checker (col.8 line 62 to line 67). 

As per claim 23, wherein the history emphasizes those messages related to a failed attempt to access the particular function (col. 9 line 26 to line 44).

As per claim 24, wherein the auditing application is further configured to provide a history, upon request, of changes to one or both of the first data and the second data (col. 8 line 62 to col. 9 line 44).

As per claim 26, further comprising the step of: generating the message based on the 
query, the first data and the second data (col.7 line 45 to col.8 line 50). 

As per claim 27, wherein the query includes an identification of the particular user and 
the function (col.7 line 60 to col.8 line 27). 

As per claim 28, wherein the second data includes for each user, one or more of an 
associated user ID, client name, role, and business level (col.8 line 45 to col.8 line 67). 
As per claim 29, wherein the first data includes for each software application an identification of associated hierarchically arranged functions and characteristics of those users authorized to access each such function (col. 7 line 60 to col. 8 line 67).

As per claim 30, further comprising the steps of: correlating the first and second data to 
determine authorized functions, said authorized functions being those particular functions of 
each software application which are accessible by a specified user; generating the message based 
on the query and the determination of authorized functions, wherein said query includes an 
identification of the particular user and the function (col.7 line 60 to col.8 line 67, col.9 line 43 to 
col. 10 line 11). 

As per claim 31, wherein the first data includes for each software application an identification of associated data fields and characteristics of entitlements of users to each data field (col. 7 line 60 to col. 8 line 67, col. 9 line 43 to col. 10 line 11).

As per claim 32, further comprising the steps of: correlating the first and second data to determine authorized data field operations, said authorized operations being those particular operations of each data field which are permitted to a specified user; and generating the message based on the query and the determination of authorized operations, wherein said query includes an identification of the particular user and of a predetermined data field (col. 7 line 60 to col. 8 line 67, col. 9 line 43 to col. 10 line 11).

As per claim 33, further comprising the steps of: storing proprietary data useful to the 
software application; and storing third data relating to accessibility of the proprietary data (col.7 
line 60 to col.8 line 67, col.9 line 43 to col.10 line 64). 
As per claim 34, further comprising the steps of: correlating the first, second and third data to determine authorized data accesses, said authorized data accesses being those particular data accesses of the proprietary data which are permitted to a specified user; and generating the message based on the query and the determination of authorized data accesses, wherein said query includes an identification of the particular user and of predetermined proprietary data (col. 7 line 60 to col. 8 line 67, and col. 9 line 43 to col. 10 line 64).

As per claim 35, further comprising the step of: creating a log entry relating to the message if the message indicates instructions which prohibit the particular software application access to the function (col. 9 line 26 to line 42).

As per claim 36, further comprising the step of: administering the first and second data by 
manipulating one or both of the first and second data according to which of a plurality of clients 
the plurality of users is associated with (col.7 line 60 to col.8 line 67, and col.9 line 43 to col. 10 
line 64). 

As per claim 37, further comprising the step of: administering the first and second data by 
manipulating one or both of the first and second data according to the identity of a particular one 
of the users (col.7 line 60 to col.8 line 67, and col.9 line 43 to col. 10 line 64). 

As per claim 38, further comprising the step of: administering the first and second data by 
manipulating one or both of the first and second data according to which of a plurality of roles 
the plurality of users is associated with (col.7 line 60 to col.8 line 67, and col.9 line 43 to col. 10 
line 64). 
As per claim 39, further comprising the step of: administering the first and second data by
manipulating all the first data relating to a specific one of the software application (col.7 line 60 
to col.8 line 67, and col. 9 line 43 to col. 10 line 64). 

As per claim 40, further comprising the step of: administering the first and second data by manipulating all the first data relating to one of the plurality of preset functions associated with the software application (col. 7 line 34 to col. 8 line 67, and col. 6 line 30 to line 57).

As per claim 42, further comprising: a non-volatile data store indicating a hierarchical
arrangement of the plurality of access levels, and wherein the rules checker is further configured 
to consult the data store when determining the authorization of that particular user (col.7 line 34 
to col.8 line 67, and col.6 line 30 to line 57). 

As per claim 43, wherein the auditing application is further configured to provide real-time data logging and retrieval (col. 7 line 9 to line 23).

As per claim 44, wherein any updates to data within the relational database are performed 
in real-time and the rules checker is further configured to use the updated data (col.7 line 9 to 
line 51). 

As per claim 45, wherein the particular software application is a simulation application,
said simulation application is configured to: provide in the query to the rules checker a simulated
user identity and a simulated secured resource identity; receive from the rules checker the 
message forwarded by the rules checker; and determine the entitlements of the simulated user to 
access the simulated secured resource (col.6 line 30 to col.8 line 26). 
As per claim 46, wherein the query requests a listing of entitlements for the one user, said
listing identifying the entitlements for every application, function or proprietary data associated 
with the one user, and wherein the message includes said listing (col.6 line 30 to col. 8 line 26). 

As per claim 47, wherein the query includes filtering parameters such that the listing includes
only those entitlements which satisfy the filtering parameters (col.6 line 30 to col. 8 line 26). 

As per claim 48, wherein the filtering parameters specify one or more of a user role, a 
function identity, an application identity, a user identity, and a data access level (col.6 line 30 to 
col.8 line 26). 

As per claim 49, wherein the authorization of the particular user to access proprietary 
data depends, at least in part, on the particular software application identity (col.6 line 30 to col.8 
line 26). 

As per claim 50, wherein the authorization of the particular user to access proprietary 
data depends, at least in part, on the particular function identity (col.6 line 30 to col.8 line 26). 

As per claim 51, wherein the one of the users utilizes a remote system to access the 
particular function of the particular software application, and is not signed on to the operating 
system based on which the rules checker operates (col. 4 line 20 to line 50). 

As per claim 52, wherein: the one of the users is an organization; and the second data 
specifies entitlements of the organization to access one or more functions of the particular 
software application, and entitlements of at least one individual user in the organization to access 
at least one of the one or more functions of the particular software application that the 
organization is entitled to access (col.6 line 30 to col.8 line 26). 
As per claim 53, wherein: the one of the users is an organization having associated
proprietary data; the second data includes an access level associated with an individual user 
within the organization, wherein the access level is selected from among a plurality of access 
levels arranged in a hierarchical structure, and specifies an authorization to access at least part of 
the proprietary data associated with the organization; and the individual user is entitled to access 
all data accessible to an access level hierarchically subordinate to the access level associated with 
the individual user (col. 6 line 30 to col. 8 line 67). 

As per claim 54, wherein more than one hierarchical structure is provided, each of the 
more than one hierarchical structure is associated with a function of the organization, an 
organization structure of the organization, or geographical regions (Fig. 1, col.4 line 20 to line 
58). 

As per claim 55, wherein the access level is assigned to the individual user based on the 
individual user's role within the organization or the individual user's job function (col. 6 line 30 
to col.8 line 67). 

As per claim 56, wherein: the one of the users is an organization having associated 
proprietary data; and the second data specifies an authorization granted to an individual user of 
the organization to access at least part of the proprietary data associated with the organization, 
based on a function to be performed by the individual user (col. 6 line 30 to col.8 line 67). 

As per claim 57, wherein the message includes that one user's authorized action on the at least one field, or the appearance of the at least one field to that one user (col. 6 line 30 to line 57, and col. 7 line 45 to line 60).
As per claim 58, wherein the entitlements of the plurality of users are dynamically configurable without the need to have a specific user sign off and sign on again (col. 9 line 26 to line 43).

As per claim 59, wherein the one of the users is an organization; and the second data specifies entitlements of the organization to access one or more functions of the particular software application, and entitlements of a role of the organization to access at least one of the one or more functions of the particular software application that the organization is entitled to access; and at least one individual user of the organization is assignable to the role (col. 9 line 26 to col. 10 line 11).
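As an added illustration (not code from Yaung or from the applicant), the following Python sketch models the rules checker as the claims above describe it (claims 1, 7, 11-13 and 23): first data holds each application's hierarchically arranged functions with the roles entitled to each, second data holds each user's roles, and the checker answers a query with a message and logs every denial for later audit. It assumes dotted names encode the function / sub-function / sub-sub-function hierarchy and that a role entitled to a parent function is also entitled to its sub-functions; neither assumption is stated in the claims.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set

# "First data": per application, hierarchically arranged functions and the roles
# entitled to each (claims 5, 7, 11). Constructed sample data, dotted = hierarchy.
FIRST_DATA: Dict[str, Dict[str, Set[str]]] = {
    "trading": {
        "trade": {"admin"},
        "trade.order": {"trader"},
        "trade.order.view": {"auditor"},
        "report": {"admin", "auditor"},
    },
}
# "Second data": roles held by each user (claim 11). Constructed sample data.
SECOND_DATA: Dict[str, Set[str]] = {
    "alice": {"trader"},
    "bob": {"auditor"},
    "carol": {"admin"},
}


@dataclass
class Query:        # generated from a user's input to the application (claim 12)
    user: str
    application: str
    function: str


@dataclass
class Message:      # instructions returned to the application (claim 1)
    user: str
    function: str
    entitled: bool
    reason: str


@dataclass
class RulesChecker:
    first_data: Dict[str, Dict[str, Set[str]]]
    second_data: Dict[str, Set[str]]
    denial_log: List[Message] = field(default_factory=list)   # claim 13

    @staticmethod
    def _self_and_ancestors(function: str) -> Iterator[str]:
        # "trade.order.view" -> trade.order.view, trade.order, trade
        parts = function.split(".")
        for i in range(len(parts), 0, -1):
            yield ".".join(parts[:i])

    def check(self, q: Query) -> Message:
        roles = self.second_data.get(q.user, set())          # unknown user: no roles
        functions = self.first_data.get(q.application, {})
        if q.function not in functions:
            # Default deny: a function absent from the first data is never granted.
            msg = Message(q.user, q.function, False, "unknown function")
        else:
            # Entitlement flows down the hierarchy (assumption, see lead-in): the
            # first matching role on the function itself or any ancestor grants it.
            hit: Optional[str] = next(
                (f for f in self._self_and_ancestors(q.function)
                 if roles & functions.get(f, set())), None)
            msg = Message(q.user, q.function, hit is not None,
                          f"granted via {hit}" if hit else "no entitled role")
        if not msg.entitled:
            self.denial_log.append(msg)   # failed attempts kept for auditing (claim 23)
        return msg


def failed_attempts(rc: RulesChecker, function: str) -> List[Message]:
    """History of messages for failed attempts on one function (claim 23)."""
    return [m for m in rc.denial_log if m.function == function]
```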

Conclusion 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Syed Zia, whose telephone number is 571-272-3798. The examiner can normally be reached from 9:00 to 5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 



Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




